Privacy Policy


Effective date: July 5, 2026 Last updated: July 9, 2026

This Privacy Policy should be read together with our Terms of Service.

1. Who this policy covers

This Privacy Policy describes how Cited, a product of Upfolio Labs Private Limited ("Company," "we," "us," "our," "it," "its"), collects, uses, and shares information when you use our website and product (together, the "Service"). It applies to visitors, free users, and paying customers alike.

2. Information we collect

Information you provide directly:

  • Email address (required for account creation via magic link, this is our only required identifier at signup)
  • Name (first and last name), if you provide it during onboarding or in your account settings, used to personalize your experience and communications
  • Information you provide during onboarding, such as your role, team, or goals, used to streamline and personalize your experience with the Service
  • Company domain and description (submitted when you create a project, this is business information about the company being audited, which may or may not be your own)
  • User-generated content, anything you create, submit, or edit within the Service, such as project names, notes, or content you produce using Cited
  • Payment information, handled by our payment processor; we store a subscription reference ID, billing interval, and billing country (for reporting purposes), never raw card details
  • Content of any support or contact-email correspondence
  • If you invite a collaborator: their email address, provided by you
  • If you connect Slack notifications: the webhook URL you provide, used only to deliver your project's notifications to your own workspace

Information collected automatically:

  • IP address (used for rate-limiting and abuse prevention, see our Terms of Service; retained as long as the associated account or audit run exists)
  • Session/authentication tokens (functionally necessary to keep you logged in, see the Cookies section below for the full range of cookies and similar technologies we use)
  • Product usage and analytics data, which features you use, pages you visit, and how you interact with the Service, used to operate, improve, and personalize the Service for you
  • Email consent status, whether you've opted into marketing emails, and, if applicable, bounce/complaint/unsubscribe status, used to honor your preferences and maintain deliverability

Information generated by using the Service:

  • Audit results: which companies AI systems recommend for prompts you've configured, evidence URLs, and the diagnostic content (gaps, generated assets) produced from that data
  • This data is primarily about companies and public buying-intent information, not about you as an individual. One exception: if you're a sole proprietor or freelancer auditing your own individually-owned business, that business data may itself constitute personal data about you specifically.

3. How we use information

To provide the Service (run audits, generate content, process payments, send notifications you've configured); to personalize your experience (using onboarding information and usage patterns to tailor what you see); to prevent abuse (rate limiting, fraud prevention on free-tier and Competitive Snapshot usage); to communicate with you about your account, billing, or changes to our terms; and for product analytics and improvement. We do not sell personal information to third parties.

Email communications specifically: we send two categories of email, treated differently. Transactional and service emails, magic-link sign-in links, billing receipts, security notices, and other updates necessary to operate your account, are not optional; they're part of delivering the Service you signed up for. Marketing emails, product updates, offers, and other promotional content, are sent only if you've explicitly opted in, either at signup or in your account settings. Marketing emails may include tracking (such as whether the email was opened or a link was clicked) for analytics purposes. You can withdraw marketing consent at any time via the unsubscribe link in every marketing email, or from your account settings; we honor opt-out requests within 10 business days. We record your consent choice (opted in or out, and when) so we can demonstrate compliance if requested.

4. Who we share information with

We use a small number of service providers (sub-processors) to operate the Service, each of whom processes data only as needed to provide their function, and none of whom may use your information for their own purposes:

  • AI infrastructure providers, process the buying-intent prompts and company information needed to run audits (they do not receive your account email or payment information)
  • Payment processor, processes all payment information directly; we never see or store raw card data
  • Email delivery provider, sends transactional emails (magic links, notifications)
  • Cloud hosting and database provider, stores account, project, and audit data described above
  • Session/cache infrastructure provider, stores short-lived authentication tokens and rate-limiting data, never your account content

We maintain a data processing agreement (DPA) with each provider governing how they handle information on our behalf. A current list of our specific sub-processors is available on request by contacting us (see Section 12).

We may also disclose information if required by law, or in connection with a merger, acquisition, or sale of assets (with notice to affected users where required).

5. Data retention

Account and project data is retained as long as your account is active. If you delete your account (see Section 6), we distinguish two kinds of data rather than removing everything: personal data, your email, IP address logs, and the identity of anyone you invited as a collaborator, is anonymized so it's no longer tied to you individually. One narrow exception: if your email address is on our suppression list (for example, because a message to it bounced, or you unsubscribed from marketing emails), we retain that email address specifically, not the rest of your account data, to honor that bounce or opt-out status and prevent sending to it again. This is the only case where an email address is retained in identifiable form after account deletion. Audit content, the prompts, observations, evidence, and generated documents your account produced, is retained, not deleted, because it's data about companies and public buying-intent information, not personal data about you, and it continues to power the category-wide benchmarks the product relies on for every customer, including ones who've since left. The sole-proprietor/freelancer exception noted in Section 2 applies to this distinction too: if the "company" audited and the account holder are the same natural person, we handle removal requests for that content case by case rather than automatically.

Timeline for personal data removal: using the self-serve account deletion tool anonymizes your personal data immediately, this isn't a queued or delayed process. For requests that need manual review rather than the automated tool (for example, the sole-proprietor case above, or anything routed through the Grievance Officer in Section 6), we commit to completing removal within 90 days, the maximum period set by the DPDP Rules, 2025. The 90-day figure is a ceiling for the manual-review path, not a description of how long the ordinary self-serve flow takes.

6. Your rights

You can request a copy of your data or delete your account directly from your account settings, without contacting support, see your account settings. Account deletion anonymizes your personal identifiers as described in Section 5; it does not remove the audit content itself, consistent with that section. If you believe your specific situation requires full content erasure (for example, the sole-proprietor case above), contact us directly rather than relying on the self-serve tool, that request needs human review, not an automated deletion. Depending on your location, you may also have rights to correct inaccurate data, object to certain processing, or lodge a complaint with a data protection authority. Contact us using the details in Section 12 to exercise these rights.

Grievance Officer (required under India's DPDP Act, 2023): For any complaint or grievance regarding how your personal data is handled, contact:

Parth, Grievance Officer parth@citedintel.com Upfolio Labs Private Limited, Pune, Maharashtra, India

We acknowledge grievances within 3 business days and resolve them within 90 days, consistent with the maximum period set by the DPDP Rules, 2025. Acknowledging quickly matters as much as resolving within the legal window, you'll hear from us fast, even if a complex request takes longer to fully close out.

7. Cookies

We use cookies and similar technologies to operate the Service, including to keep you logged in, and may also use them to personalize your experience, understand how the Service is used (product analytics), and, where applicable, for advertising purposes. Where required by law, we will request your consent before setting non-essential cookies, and provide a way to manage your preferences.

8. International data transfers

If you're located outside the country where our servers operate, your data will be transferred internationally. We take steps designed to ensure such transfers are conducted in accordance with applicable data protection law.

9. Children's privacy

The Service is intended for business use and is not directed at, or knowingly used by, anyone under 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal information from children.

10. Changes to this policy

We may update this Privacy Policy at any time. We'll post any changes here with an updated "Last updated" date, and notify active accounts by email of material changes.

11. Governing law and location

This policy, and Upfolio Labs Private Limited's data practices generally, are governed by the laws of India. The company is based in Pune, Maharashtra, India, confirmed, not assumed, so India's Digital Personal Data Protection Act (DPDP Act, 2023) applies here directly as the home-jurisdiction law, not as one of several possible regional frameworks to weigh. By using the Service, you agree that this policy and its enforcement are subject to Indian law. GDPR, CCPA, and other regional frameworks remain relevant on top of this wherever you personally are located, exactly as described in Section 8 (International data transfers), the DPDP Act being the home-jurisdiction law doesn't make those inapplicable if you're in the EU or California, it just means DPDP is the first review priority, not the only one.

12. Contact

Upfolio Labs Private Limited Pune, Maharashtra, India For any support or general questions about this policy, write to: support@citedintel.com For data protection grievances specifically, contact our Grievance Officer, Parth, at parth@citedintel.com (see Section 6)


© 2026 Upfolio Labs Private Limited. All rights reserved.